CVE-2022-2422

Feathers - SQL injection via attribute aliases

CVE

CVE-2022-2422

Title

Feathers - SQL injection via attribute aliases

Case

DIVD-2022-00020

Credits

Discovered by Thomas Rinsma and Kevin Valk (Codean) (finder)

Affected products

Product	Affected	Unaffected	Unknown
Feather js Feathers-Sequalize	>= 6.x to < 6.3.4 (custom)
Feather js Feathers-Sequalize

CVSS

Base score: 10 (CRITICAL)

References

https://csirt.divd.nl/DIVD-2022-00020 ( third-party-advisory )
https://csirt.divd.nl/CVE-2022-2422 ( third-party-advisory )

Problem type(s)

CWE-89 SQL Injection

Date published

24 Oct 2022 22:00 UTC

Last modified

02 Jan 2024 18:32 UTC

Description

Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.

JSON version.

DIVD CSIRT

CVE-2022-2422

Feathers - SQL injection via attribute aliases

Description